Enterprise Cybersecurity Strategy Protects Those Who Protected Us

VA has an important mission that includes protecting the personal information of Veterans and mission critical data. The creation of the Enterprise Cybersecurity Strategy (ECSS) provides the approach to securely achieving this mission. The ECSS aligns with VA’s mission, core values, and the ChooseVA modernization initiative and aligns to VA efforts to implement the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the NIST Cybersecurity Framework, to improve information security and strengthen risk management processes to reduce VA’s cybersecurity risk.

VA, its core constituents, and external partners are subject to a wide variety of cyber threats. Given the high degree of connectivity, interdependence, and reliance on integrated open platform technology, meeting cybersecurity challenges requires strategic attention and collaboration across the entire VA ecosystem. The purpose of the ECSS is to guide enterprise-wide cybersecurity planning and risk-based decision-making. The ECSS directs VA leadership to act as cybersecurity resource stewards to identify and articulate requirements, standards, and opportunities for transformative cybersecurity improvements. The ECSS promotes collaboration, enables data protection, and provides resiliency in the face of a broad spectrum of threats through the realization of strategic cybersecurity goals:

Protect Veteran Information and VA Data

Data protection is an essential VA function that involves people, processes, and technology. VA must identify its high-value assets (HVA); understand its business processes and system interactions so that security and privacy protections can be applied commensurate with risk; and enhance awareness of safe information handling practices so that the VA workforce, Veterans, partners are equipped to help protect VA data and Veteran information.

Drive Resilient VA Cyberspace Ecosystem

VA needs to maintain critical functions in the face of inevitable breaches. While defense in depth remains essential, VA also needs to be resilient. Implementing the appropriate policies, procedures and technologies provides VA with the ability to maintain continuity of operations both during and after a cyber event, as well as evolving VA’s resiliency to better adapt to advanced cyber threats.

Protect VA Information Systems and Infrastructure

VA identifies and strengthens its mission critical systems and infrastructure, modernizes IT, and employs an integrated, resilient architecture. VA is also committed to leveraging cloud and federal shared services. VA not only integrates cybersecurity protections into VA information systems and networks, but also verifies that business associates are appropriately implementing protections within their systems.

Ensure Secure Operational Environment That Supports Effective Operations

For VA to operate effectively in the cyberspace domain, a secure operational environment is necessary. Such an environment is realized through efficient, agile acquisitions that help VA keep pace with evolving cyber threats and technological innovations, operates transparently and, to the extent possible, seamlessly; and is enabled by integration of information security capabilities and outcomes across enterprise governance, business operations, and technology architecture frameworks.

Recruit, Develop, and Retain a Talented Cybersecurity and Privacy Workforce

Strong cybersecurity capabilities require a cybersecurity workforce that is agile, multifunctional, dynamic, and flexible to adapt to an ever-changing threat environment. VA’s workforce planning capability and framework provide VA the data it needs to make fact-based decisions on cyber and privacy workforce recruitment, development, and retention.